08-24-2009 04:43 PM - edited 03-10-2019 04:39 PM
Hi,
Here is my ACS setup:
1. We have two NDG groups under the Network Configuration tab:
one group is for common network devices like routers and switches,
and the other group has special devices like VPN routers and internet routers.
Coming to the user details:
2. We have two different types of user groups:
one has full access to both NDG groups,
the other has read-only access to both NDG groups.
Now my problem is that I have to provide read/write access to some of the users
who are in the read-only access group, and that only for the special devices NDG group, not the common network NDG group.
I mean he has to get full access to one NDG and read-only access to the other.
Can someone help me with this?
08-26-2009 09:50 AM
You need to set up command authorization using "Assign a Shell Command Authorization Set on a per Network Device Group Basis".
Regards,
~JG
Do rate helpful posts
08-26-2009 06:37 PM
What about setting up a 3rd group called power users (or whatever you want to call it), then allow the 'special' users full access to both device groups but limit their command access to the read-only group, using command shell auth, as suggested by JG.
You can actually set up some ACS groups where read-only users get level 15 access to devices but they can only perform 'show' related commands even though they have enable access. You have the ability to do a 'deny' against 'conf t' attempts.
Also you can use Network Device restrictions if you don't want them to access particular devices at all.
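The approach suggested in the replies above, sketched as a simplified model. This is an added example, not posted by any participant and not ACS's own code: it maps each user group to a command set per NDG and fails closed when no mapping exists. All group, NDG, device and command-set names are constructed, and it assumes the device sends the fully expanded command.

```python
# Simplified model of per-NDG shell command authorization (added example).
# All names below are constructed for illustration.

# A command set: explicit rules match the first word of the command;
# "unmatched" decides everything that no rule covers.
COMMAND_SETS = {
    "FullAccess": {"rules": [], "unmatched": "permit"},
    "ShowOnly": {
        # Explicit deny for configure mirrors the "deny against conf t" idea.
        "rules": [("deny", "configure"), ("permit", "show"), ("permit", "exit")],
        "unmatched": "deny",
    },
}

# User group -> NDG -> command set. "PowerUsers" is the third group:
# full access on the special NDG, show-only on the common NDG.
GROUP_POLICY = {
    "FullAccessGroup": {"Common": "FullAccess", "Special": "FullAccess"},
    "ReadOnlyGroup": {"Common": "ShowOnly", "Special": "ShowOnly"},
    "PowerUsers": {"Common": "ShowOnly", "Special": "FullAccess"},
}

# Device -> NDG membership (constructed sample devices).
DEVICE_NDG = {"core-sw1": "Common", "vpn-rtr1": "Special"}


def authorize(group, device, command):
    """Return True if `group` may run `command` on `device`."""
    ndg = DEVICE_NDG.get(device)
    set_name = GROUP_POLICY.get(group, {}).get(ndg)
    words = command.split()
    if set_name is None or not words:
        return False  # unknown device, unmapped NDG or empty command: fail closed
    cmd_set = COMMAND_SETS[set_name]
    for action, keyword in cmd_set["rules"]:
        if words[0] == keyword:
            return action == "permit"
    return cmd_set["unmatched"] == "permit"


def write_access_matrix():
    """Audit helper: which (group, NDG) pairs can enter configuration mode."""
    return {
        (group, ndg): authorize(group, device, "configure terminal")
        for group in GROUP_POLICY
        for device, ndg in DEVICE_NDG.items()
    }
```

Reviewing the output of `write_access_matrix()` after each policy change confirms that only the intended groups gained configuration rights on each NDG.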